Hi folks.
Just wondering if I can change the ownership on the nginx logs folder so I can access them easier for analysis on a regular basis and cronjobs.
/var/log/nginx is owned by nginx:nginx which shuts me out.
Cheers, Bee
Add group nginx to your user... usermod -G nginx,... username (where ... is any other groups you're a member of, not counting your primary group)
On Fri, May 3, 2019, 3:03 PM Bee.Lists bee.lists@gmail.com wrote:
Hi folks.
Just wondering if I can change the ownership on the nginx logs folder so I can access them easier for analysis on a regular basis and cronjobs.
/var/log/nginx is owned by nginx:nginx which shuts me out.
Cheers, Bee
CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos
Just did that, and I still can’t do this:
$ cd /var/log/nginx
-bash: cd: /var/log/nginx: Permission denied
On May 3, 2019, at 7:22 PM, John Pierce jhn.pierce@gmail.com wrote:
Add group nginx to your user... usermod -G nginx,... username (where ... is any other groups you're a member of, not counting your primary group)
Cheers, Bee
Just did that, and I still can’t do this:
$ cd /var/log/nginx
-bash: cd: /var/log/nginx: Permission denied
What's the access mode of it? Should probably be mode 770 then.
Regards, Simon
On May 3, 2019, at 7:22 PM, John Pierce jhn.pierce@gmail.com wrote:
Add group nginx to your user... usermod -G nginx,... username (where ... is any other groups you're a member of, not counting your primary group)
Cheers, Bee
I will give 770 a try. Nobody going to flip now that a single “7” has been posted?
On May 6, 2019, at 12:06 AM, Simon Matter via CentOS centos@centos.org wrote:
What's the access mode of it? Should probably be mode 770 then.
Cheers, Bee
On May 6, 2019, at 10:14 AM, Bee.Lists bee.lists@gmail.com wrote:
I will give 770 a try.
Try 750 first. You don’t need write access to do what you’re asking.
Also, the group membership change won’t take effect until you log out and back in.
Nobody going to flip now that a single “7” has been posted?
There is a clear analogue to herd immunity here:
https://en.wikipedia.org/wiki/Herd_immunity
When sysadmins of Internet-attached hosts do things to make those hosts less secure, that makes them easier to take over, which means the botnets and stolen databases get bigger, which puts the rest of us on the Internet at greater risk.
So yeah, I think the rest of us do have some say in how you manage your systems’ security. Not total, of course, but you should not dismiss good advice as “flipping.”
In this particular case, the risk is that there is some credential or other sensitive info logged by nginx which is now easier for an attacker to get at. Those logs are hidden away for that reason and more.
How big that risk is only you can say at this point. If you’ve got a purely static web site, for instance, there’s probably nothing important in that log, but if it’s acting as a reverse proxy for a back-end service, nginx might be logging passwords and such.
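An added example, not part of any poster's message: a small diagnostic for the "added myself to the group, still Permission denied" situation in this thread. It separates the two causes raised in the replies (directory mode with no group access, and a login session that predates the group change). The function names are hypothetical, and it assumes GNU `stat` and `id` as shipped on CentOS.

```sh
#!/bin/sh
# Added example (not from the thread). Helper names are hypothetical.

# Succeeds if word $1 is in the space-separated list $2.
in_list() {
    case " $2 " in *" $1 "*) return 0 ;; *) return 1 ;; esac
}

# Succeeds if the group digit of octal mode $1 has both r (4) and x (1),
# the bits needed to list and enter a directory. 750 and 770 pass, 700 fails.
group_can_enter() {
    gbits=$(( (0$1 >> 3) & 7 ))
    [ $(( gbits & 5 )) -eq 5 ]
}

# diagnose MODE GROUP LIVE_GROUPS DB_GROUPS -> one-word verdict on stdout.
#   LIVE_GROUPS: groups of the running session (id -Gn)
#   DB_GROUPS:   groups recorded for the user  (id -Gn USER)
diagnose() {
    if ! in_list "$2" "$4"; then
        echo not-a-member          # user is not in the directory's group
    elif ! group_can_enter "$1"; then
        echo mode-blocks-group     # e.g. 700; 750 is enough for reading
    elif ! in_list "$2" "$3"; then
        echo relogin-needed        # membership exists, session predates it
    else
        echo ok
    fi
}

# Gather the real values for a directory and the invoking user.
check_log_dir() {
    dir=$1
    mode=$(stat -c '%a' "$dir")
    grp=$(stat -c '%G' "$dir")
    verdict=$(diagnose "$mode" "$grp" "$(id -Gn)" "$(id -Gn "$(id -un)")")
    echo "$dir mode=$mode group=$grp verdict=$verdict"
}

# Run against a directory given on the command line, e.g. /var/log/nginx.
if [ $# -gt 0 ]; then check_log_dir "$1"; fi
```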
On May 6, 2019, at 10:14 AM, Bee.Lists bee.lists@gmail.com wrote:
I will give 770 a try.
Try 750 first. You don’t need write access to do what you’re asking.
Also, the group membership change won’t take effect until you log out and back in.
Thanks for correcting me; both things are true. If he only wants to read logs there, 750 is sufficient, of course.
Regards, Simon
Yeah, I was still having some issues, so I set a cron to rsync the directory out to another directory that I rsync to another machine, where I do the analysis.
As per the “7” comment, I always listen to good advice, but usually that advice gets completely derailed with someone saying “nobody should ever be root…”, etc. Best stated, “some people never let their kids play outside”. I have a neighbour like that.
So all is working, but under testing.
On May 6, 2019, at 10:40 PM, Simon Matter via CentOS centos@centos.org wrote:
Thanks for correcting me; both things are true. If he only wants to read logs there, 750 is sufficient, of course.
Cheers, Bee
On May 7, 2019, at 7:14 AM, Bee.Lists bee.lists@gmail.com wrote:
As per the “7” comment, I always listen to good advice, but usually that advice gets completely derailed with someone saying “nobody should ever be root…”, etc. Best stated, “some people never let their kids play outside”. I have a neighbour like that.
Your CentOS box is nowhere near as well-defended as an unattended human child. The child has millions of years of evolution providing it with an active self-improving immune system, a mammal’s agility, and an apex predator’s cunning.
If you want a human analogue to a CentOS box, it’s closer to a premature baby in a neonatal intensive care unit. It requires constant inputs from the caregivers and strict adherence to basic guidance like “Don’t open all the doors leading outside at once” to keep these cared-for creations alive.
On 4/5/19 8:03 am, Bee.Lists wrote:
Hi folks.
Just wondering if I can change the ownership on the nginx logs folder so I can access them easier for analysis on a regular basis and cronjobs.
/var/log/nginx is owned by nginx:nginx which shuts me out.
Cheers, Bee
Here's a twist to the other provided solutions. I find it easier to leave permissions as they are and instead use ACLs. That way, I can remove the ACLs (# sudo setfacl -b /path/to/dir) and not worry about what the original permissions were.
This is how I'd sort it out:
First, I'd create a default ACL (this will allow new files in the directory to inherit the ACL):
# sudo setfacl -d -m u:<your_user_name>:rwx /var/log/nginx
Next, I'd apply the ACL to the directory:
# sudo setfacl -m u:<your_user_name>:rwx /var/log/nginx
Finally, I'd ensure that I can access existing files in that directory:
# sudo sh -c "find /var/log/nginx -maxdepth 1 -type f -exec setfacl -m u:<your_user_name>:r {} \;"
Caveat: I use EXT4 so not sure how this would play with other file systems.